
Garvin Hicking wrote:
Hi!
https://sourceforge.net/tracker/index.php?func=detail&aid=1312571&group_id=2... 067&atid=377410
I would like to commit this into CVS, if no one is against it.
Marc? Michal?
I think this portion:
+foreach( $_GET as $key => $val ) { + if ( ! in_array( $key, $drops ) ) { + $url_querys[] = $key . '=' . $val; + }
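Review bot: `$val` is treated as a string in `$url_querys[] = $key . '=' . $val;`, but an entry of `$_GET` is an array whenever the request uses bracket syntax such as `a[]=1`, so the rebuilt query would carry the literal text `Array` and the parameter is lost. Skip or recurse into non-scalar values at this point, and pass the strict flag in `in_array( $key, $drops )` so that numeric keys are not loosely matched against the drop list.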
allows for XSS attacks to index.php which outputs remote input HTML/JS code.
Uuh, sorry, fixed this with $url_querys[] = urlencode( $key ) . '=' . urlencode( $val );
Added to that, it seems your patch kills the $cfg['LeftFrameTableSeparator'] functionality of nested table groups in non-light mode. It seems you removed all the PMA_nestedSet() functionality without proper replacement of its content?
Did you try it? Or did you just take a look at the code? $cfg['LeftFrameTableSeparator'] is respected and should be properly displayed - if not pls give me an example of your settings, what you expect and what you got

thnx

-- 
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
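Added example, not part of the thread or of phpMyAdmin's code: the pattern from the quoted hunk next to one way of rebuilding the query string so that neither keys nor values reach the page unencoded. The function names, the contents of `$drops` and the sample request are assumptions constructed for illustration.

```php
<?php
// Pattern from the quoted hunk: keys and values are copied through verbatim.
function rebuild_raw(array $get, array $drops): string
{
    $parts = [];
    foreach ($get as $key => $val) {
        if (!in_array($key, $drops)) {
            $parts[] = $key . '=' . $val;
        }
    }
    return implode('&', $parts);
}

// Encoded rebuild: drop by key, then let http_build_query() percent-encode
// both keys and values (it also expands nested arrays such as a[]=1).
function rebuild_encoded(array $get, array $drops): string
{
    $kept = array_diff_key($get, array_flip($drops));
    return http_build_query($kept, '', '&', PHP_QUERY_RFC3986);
}

// The URL is still written into HTML, so escape for the attribute context too.
function href_attr(string $script, string $query): string
{
    return htmlspecialchars($script . '?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request: markup appears in a parameter *name* as well
// as in a value, which is why the key has to be encoded too.
$drops = ['lang', 'server'];
$get = [
    'db'          => 'test',
    'lang'        => 'en',
    '"><b>k</b>'  => '1',
    'table'       => '"><b>v</b>',
];

echo "raw:     ", rebuild_raw($get, $drops), "\n";
echo "encoded: ", rebuild_encoded($get, $drops), "\n";
echo "href:    ", href_attr('index.php', rebuild_encoded($get, $drops)), "\n";

// Array-valued parameter (constructed): handled by the encoded variant.
echo "nested:  ", rebuild_encoded($get + ['tbl' => ['a', 'b']], $drops), "\n";
```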